Project plan for centralized management of user rights in an enterprise production environment
- Problem status
At present we have hundreds of servers, and each server is managed by many people (development, operations, architecture, DBAs, product, marketing). When they log in to the Linux servers, staff with different roles have very different skill levels, so operations are not standardized and root privileges are everywhere (almost everyone has root). This regularly leads to problems such as files disappearing for no clear reason. Veteran and new staff also differ greatly in how familiar they are with the servers, which makes the security of the company's servers very unstable and creates operational security risks. According to a survey of enterprise server environments, more than 50% of security problems come from the inside, not the outside. To solve the problem that a single user's management privileges are far too large, this document proposes a centralized user rights management solution for the Linux servers.
- Project requirements
We want the root password of the superuser to be held by only a few people, or only by the administrators, while still allowing several system administrators or other authorized staff to complete the increasingly complex tasks related to their own work, without out-of-scope operations that create security risks for the system.
Minimization principles: 1) minimize installed software; 2) minimize permissions on directories and files; 3) minimize user privileges; 4) minimize the permissions that programs run with.
So how do we let several system administrators manage the system without handing out the superuser privilege? This is where sudo management replaces, or is combined with, the su command to meet this strict but necessary requirement of enterprise server user management.
3. Concrete implementation
For the different departments in the company, and according to employees' specific job functions (for example development, operations, database administrators), implement Linux server management permissions in tiers, minimized and standardized. This lowers operations and management costs, removes security risks, and improves work efficiency, so that projects are completed quickly and with high quality alongside daily system maintenance.
4. Implementation of the plan
4.1 Information Collection
Convene the relevant departments, or communicate with each team leader, to determine the feasibility of the rights management program. Support needed: the operations manager or director, the CTO, and the leaders of each department group.
4.2 After the feasibility of the plan is confirmed, the meeting leader summarizes, submits and reviews the Linux server rights of all relevant employees.
5. Plan the rights and staffing configuration according to the Linux commands and corporate business services that each role needs.
Hands-on rights management project
1. Create the users
# create the junior admins, the network admin, the senior admin and the manager account
for user in chuji001 chuji002 chuji003 net001 senior001 manager001
do
    useradd $user
    echo "111111" | passwd --stdin $user
done
2. Create 5 developers belonging to the phpers group
groupadd -g 999 phpers
# php001 .. php005, primary group phpers
for n in $(seq 5)
do
    useradd -g phpers php00$n
done
# development manager and senior PHP developer accounts
for user in kaifamanager001 seniorphpers
do
    useradd $user
    echo "111111" | passwd --stdin $user
done
3. Use visudo to edit /etc/sudoers (visudo opens the file in vi and checks the syntax on save); the new configuration is as follows:
Defaults logfile=/var/log/sudo.log
## Cmnd_Alias by tim ## 2018/01/16
# alias names must be upper case (sudoers is case sensitive); command paths must be absolute
Cmnd_Alias CY_CMD_1 = /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /sbin/ifconfig, /bin/netstat, \
    /bin/hostname, /sbin/route
Cmnd_Alias GY_CMD_1 = /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /bin/hostname, /sbin/ifconfig, /bin/netstat, \
    /sbin/route, /sbin/iptables, /etc/init.d/network, /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall, /bin/rpm, \
    /usr/bin/up2date, /usr/bin/yum, /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
Cmnd_Alias CK_CMD_1 = /usr/bin/tail /app/log, /bin/grep /app/log, /bin/cat, /bin/ls
Cmnd_Alias GK_CMD_1 = /sbin/service, /sbin/chkconfig, /bin/tail /app/log, /bin/grep /app/log, /bin/cat, /bin/ls, \
    /bin/sh ~/scripts/deploy.sh
Cmnd_Alias GW_CMD_1 = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, \
    /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, \
    /sbin/mii-tool, /bin/cat /var/log/
###################################################################################
## User_Alias by tim ## 2018/01/16
User_Alias CHUJIADMINS = chuji001, chuji002, chuji003
User_Alias GWNETADMINS = net001
User_Alias CHUJI_KAIFA = %phpers
## Runas_Alias by tim ## 2018/01/16
Runas_Alias OP = root
# privilege configuration
senior001        ALL=(OP) GY_CMD_1
manager001       ALL=(ALL) NOPASSWD: ALL
kaifamanager001  ALL=(ALL) ALL, (ALL) /usr/bin/passwd [a-zA-Z]*, (ALL) !/usr/bin/passwd root, \
    (ALL) !/usr/sbin/visudo, (ALL) !/usr/bin/vim, (ALL) !/usr/bin/viSudoer, (ALL) !/usr/bin/sudo su -, (ALL) !/bin/su
seniorphpers     ALL=(OP) GK_CMD_1
CHUJIADMINS      ALL=(OP) CY_CMD_1
GWNETADMINS      ALL=(OP) GW_CMD_1
CHUJI_KAIFA      ALL=(OP) CK_CMD_1
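Before such a configuration goes live it is worth running a static review of the rules. The script below is an added example, not part of the original plan or of sudo itself: it scans a sudoers fragment for the rule patterns a reviewer would question in the configuration above (NOPASSWD on ALL, "!" exclusions subtracted from ALL, which sudoers(5) itself says are not effective, commands that hand out a shell, command paths the user can write to such as ~/scripts/deploy.sh, and an unrestricted /bin/cat). The SAMPLE_SUDOERS text is constructed from the rules on this page; on a real host the same function would read /etc/sudoers on stdin.

```shell
#!/bin/sh
# Added example: static audit of a sudoers fragment for weak rule patterns.
# SAMPLE_SUDOERS is constructed from the rules in this plan, not a live /etc/sudoers.
SAMPLE_SUDOERS='Defaults logfile=/var/log/sudo.log
# aliases (shortened)
Cmnd_Alias CK_CMD_1 = /usr/bin/tail /app/log, /bin/grep /app/log, /bin/cat, /bin/ls
Cmnd_Alias GK_CMD_1 = /sbin/service, /sbin/chkconfig, /bin/cat, /bin/ls, /bin/sh ~/scripts/deploy.sh
manager001       ALL=(ALL) NOPASSWD: ALL
kaifamanager001  ALL=(ALL) ALL, (ALL) !/usr/bin/passwd root, \
    (ALL) !/usr/sbin/visudo, (ALL) !/bin/su
senior001        ALL=(OP) GY_CMD_1'

# audit_sudoers: sudoers text on stdin; prints one "finding: <why> -> <rule>" line per weak pattern.
audit_sudoers() {
    # join backslash-continued lines, then drop comments and blank lines
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while IFS= read -r rule; do
        case "$rule" in
            *NOPASSWD:*ALL*) echo "finding: passwordless ALL, full root without authentication -> $rule" ;;
        esac
        case "$rule" in
            *") ALL"*"!"*) echo "finding: ALL minus '!' exclusions; sudoers(5) says subtracting from ALL is not effective -> $rule" ;;
        esac
        case "$rule" in
            *"/bin/sh "*|*"/bin/sh,"*|*"/bin/sh"|*"/bin/bash"*) echo "finding: grants a shell as root -> $rule" ;;
        esac
        case "$rule" in
            *" ~/"*|*"/home/"*|*"/tmp/"*) echo "finding: command path is user-writable, its owner can replace it -> $rule" ;;
        esac
        case "$rule" in
            *"/bin/cat,"*|*"/bin/cat") echo "finding: /bin/cat with no argument restriction reads any file as root -> $rule" ;;
        esac
    done
}

# run_audit: audit the constructed sample and return the finding lines.
run_audit() {
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
}

run_audit
```

On a real host, pair this with `visudo -c -f <file>`, which checks the syntax of a candidate sudoers file without installing it.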